Release Notes for McAfee(R) VirusScan(R) Enterprise Version 8.0i Patch 16 Copyright (C) 2007 McAfee, Inc. All Rights Reserved ========================================================== Patch Release: 26 November 2007 This release was developed and tested with: - VirusScan Enterprise:8.0i - DAT Version: 5162, November 13 2007 - Engine Version: 5.2.00 Make sure you have installed these versions before using this release. ========================================================== Thank you for using VirusScan(R) Enterprise software. This file contains important information regarding this release. We strongly recommend that you read the entire document. The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. McAfee, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use. Patch files should be applied only on the advice of McAfee Technical Support, and only when you are actually experiencing the issue being addressed by the Patch. Patch files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of Patch files. Patch files are not a substitute or replacement for product Service Packs which may be released by McAfee, Inc. It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from McAfee, Inc. Further, posting of McAfee Patch files to publicly available Internet sites is prohibited. McAfee, Inc. reserves the right to refuse distribution of Patch files to any company or person guilty of unlawful distribution of McAfee software products. Questions or issues with McAfee Patch files should be directed to McAfee Technical Support. __________________________________________________________ WHAT'S IN THIS FILE - About This Release - Purpose - Resolved Issues - Previously Resolved Issues - Known Issues - Files Included With This Release - Installation - Installation Requirements - Installation Steps - Installation Steps via ePolicy Orchestrator - Additional Steps for Anti-Spyware Enterprise Module - Installation Steps via McAfee Installation Designer - Verifying Installation - Contact Information - Copyright & Trademark Attributions - License Information __________________________________________________________ ABOUT THIS RELEASE PURPOSE This release combines previous Patches and updated binaries into a single Microsoft Patch installer to address all items listed in "Resolved Issues" and "Previously Resolved Issues" below. For the most update-to-date copy of this Readme information, refer to McAfee Support KnowledgeBase article 614252. RESOLVED ISSUES 1. ISSUE: Certain applications exhibited a much heavier CPU load with VirusScan Enterprise’s Buffer Overflow protection enabled. RESOLUTION: The buffer overflow engine was restructured to bypass expensive evaluations when inexpensive tests had already given conclusive information. 2. ISSUE: If a request to open a file is blocked by an Access protection rule, and the filter driver is not prepared to accept the status code indicating that the file contents require flushing, the system may halt with a STOP 0x50. RESOLUTION: The AV filter driver has been revised to ensure files are properly closed if access to the file was blocked by the Access Protection feature. 3. ISSUE: Some potentially unwanted programs could be detected even though they were added to the exclusion list. RESOLUTION: The common shell binary has been updated to better handle specific return codes from the scanner engine. 4. ISSUE: When upgrading from VirusScan Enterprise 8.0i to 8.5i the Lotus Notes Scanner may fail to upgrade properly if the Lotus Notes Client was open. RESOLUTION: The VirusScan Enterprise 8.0i Lotus Notes Scanner now becomes dormant during the installation of VirusScan Enterprise 8.5i and the new scanner is enabled upon reboot. NOTE: This fix has the ability to install to Lotus Notes version 7.x. However, it does not add any additional support for the scanner on Lotus Notes 7.x. 5. ISSUE: The Access Protection, port blocking white list is limited to 1024 characters. RESOLUTION: The buffer sizes for the white list have now been increased from 1024 characters to 2500 characters. Also, the VirusScan NAP will now accept up to 2500 characters for the white list. 6. ISSUE: The VirusScan Enterprise management plug-in writes all settings to the registry on every policy enforcement. This increased the risk for registry corruption. RESOLUTION: The VirusScan Enterprise management plug-in now writes to the registry only when there is a difference between the current policy and the contents of the registry. 7. ISSUE: The VirusScan Enterprise On-Demand Scanner would end scanning of cookies (requires McAfee AntiSpyware Module) after detecting the first cookie. RESOLUTION: The Common Shell component has been corrected to solve an issue where the scan was being terminated prematurely. 8. ISSUE: "User Defined Detection" settings are in effect even when the "Detect Unwanted Programs" setting, for the scanner, is disabled. RESOLUTION: Changes have been made so that when the "Detect Unwanted Programs" setting is disabled, "User Defined Detections" settings are included with the setting. PREVIOUSLY RESOLVED ISSUES 9. ISSUE: When resuming from hibernation, the system tray icon may be in the disabled state, reflecting the status of the on-access scanner. However, the scanner service is functioning normally. RESOLUTION: The system tray icon now reflects the correct state of the on-access scanner when resuming from hibernation. 10. ISSUE: Microsoft Outlook 2003 can hang while receiving a new email when a previous mail, containing a hyperlink, has that hyperlink highlighted by pointing the mouse on it. RESOLUTION: The OutlookScan binary has been updated to resolve a conflict while scanning RichEditControl. 11. ISSUE: In certain circumstances, OutlookScan causes a system crash with Microsoft Outlook 2007. RESOLUTION: The OutlookScan binary has been updated to add support for Microsoft Outlook 2007. NOTE: CMA 3.6.0 is required for OutlookScan to function correctly on Microsoft Outlook 2007. 12. ISSUE: Some reference count issues, leading to a double free and subsequent blue screen error, as well as third-party compatibility issues might occur with VirusScan’s Mini-Firewall driver. RESOLUTION: The Mini-Firewall driver has been updated to resolve these issues. NOTE: A reboot is needed to load the updated binary into memory. The package installation does not force the reboot. 13. ISSUE: The on-access scanner clean file scan-cache resets after policy enforcement from ePolicy Orchestrator or Protection Pilot, even though the scanning configuration has not changed. RESOLUTION: The clean file scan-cache no longer resets during policy enforcement unless the scanning configuration has changed. 14. ISSUE: In an ePolicy Orchestrator or Protection Pilot managed environment, the definitions update might fail saying, "Error occurred while copying SCAN.DAT. File is locked or missing from the package." The DAT files are locked after VirusScan Enterprise management plug-in loads the engine and encounters a failure. RESOLUTION: The VirusScan Enterprise management plug-in has been updated to release the engine if it fails to load. 15. ISSUE: The Buffer Overflow feature might issue a request for security information when it interrupted a program that temporarily blocked Windows Security Authority (LSASS.EXE), causing a deadlock. This might cause other programs to stop responding if they attempt an operation that depends on the Windows Security Authority. RESOLUTION: The Buffer Overflow feature no longer requires information from the Windows Security Authority when evaluating a potential buffer overflow. 16. ISSUE: When running an on-demand scan, the number of infections displayed on the GUI is twice the actual number of detections. Log files and Events are not affected by this behavior. RESOLUTION: The on-demand scanner console plug-in was updated to remove redundant detection counters. 17. ISSUE: When the on-demand scanner encounters an archive containing multiple infections, the first infection that caused the Move action to occur on the archive, causes any additional infections to show as "Move Failed." RESOLUTION: The Common Shell component has been updated to bring the on-demand scanner in line with other scanners’ functionality. The on-demand scanner ends scanning on the archive after the Move action is taken. 18. ISSUE: File operations invoked on IBM’s ClearCase file system (MVFS) might cause our AV filter driver to leak memory. Our driver can see folder OPEN requests but never the CLOSE requests. RESOLUTION: The AV filter driver has been updated to exclude file operations of IBM’s MVFS file system from scanning operations. 19. ISSUE: The Buffer Overflow component disables itself when the Host Intrusion Prevention client is installed. However, when IPS is disabled, Buffer Overflow Protection remains disabled.   RESOLUTION: The on-access scanner service has been updated to monitor Host Intrusion Prevention, and to re-enable Buffer Overflow Protection if IPS is disabled.   NOTE: This applies only to Host Intrusion Prevention 6.1.0 or higher. See the documentation for Host IPS for more information. 20. ISSUE: A boot sector virus was not detected when the on-access scanner configuration is set to Clean infections automatically. When configured to any other action, the boot sector virus was found. RESOLUTION: The on-access scanner executable, MCSHIELD.EXE, now detects boot sector viruses when the action is configured to Clean. 21. ISSUE: Laptop computers that were not connected to the network and configured to use centralized alerting, could take upwards of three minutes to log in. The centralized alerting server could not be contacted over the network. RESOLUTION: Alerts that are generated by VirusScan Enterprise on startup and shutdown, using centralized alerting, can now be suppressed. Add the dWORD value "bSuppressStartupCentralAlerts" and set it to the number one, located in the registry at: HKLM\SOFTWARE\Network Associates\TVD\Shared Components\Alert Client\VSE 22. ISSUE: The ScriptScan feature loaded into the memory space of any process that launched a script (VBScript or JScript). RESOLUTION: Processes can now be excluded from having ScriptScan provide protection to that process. The process name, without extension, can be added to the registry string "ExcludedProcesses," located at: HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\ScriptScan Additional process names can be added, separated by a "," comma. 23. ISSUE: Microsoft Outlook may stop responding when receiving emails that had attachments with double-byte file names, or very long file names. RESOLUTION: The McAfee EmailScan Outlook add-in, SCANEMAL.DLL, is updated to resolve this issue. 24. ISSUE: A potential race condition existed when a third-party program initialized, possibly causing the application to fail. The symptom did not occur when the Buffer Overflow feature was disabled. RESOLUTION: The Buffer Overflow process hooking now allows a delay time to be specified (in milliseconds) that will delay when hooking occurs. This is implemented by modifying the Windows Registry. If this solution needs to be implemented please contact McAfee Technical Support. 25. ISSUE: A Power User could not modify configuration settings for the EmailScan feature. Other configuration settings could be modified. RESOLUTION: EmailScan configuration settings can now be modified by Power Users. 26. ISSUE: The network drive scanning option of the on-Access scanner would sometimes fail to scan remote files. RESOLUTION: The file-system filter driver has been updated to resolve this issue. 27. ISSUE: Itanium 64-bit servers would experience a bugcheck (blue screen error) if a file-system filter driver newer than the version included in Patch 11 was installed. RESOLUTION: The file-system filter driver has been updated to resolve this issue. 28. ISSUE: During an update the VirusScan Enterprise plug-in could return an erroneous error: "CPluginManager::callback_GetPolicyA failed (hr=-1201) to get Wrkstn_General – DisableMASOAS for VIRUSCAN8000" The Desktop Firewall "Quarantine Mode" feature would keep the system in quarantine mode. RESOLUTION: The VirusScan Enterprise plug-in no longer returns the described error. 29. ISSUE: Adding an older VirusScan Enterprise Patch update to a repository would cause the older update to be retrieved and executed. Both Patch updates would report as installed. RESOLUTION: The Patch update detection script now proceeds with the update if a newer Patch is not already installed. This applies to all future Patches. 30. ISSUE: On 64-bit systems, the Patch validation process fails, causing the Patch version to not report correctly. In the "About" screen and in ePolicy Orchestrator properties the version was reported as "None." RESOLUTION: Patch versions now report the expected patch version when the Patch validation process is successful. 31. ISSUE: After Patch 12 or Patch 13 was installed the Browse button for the Quarantine folder did not function. RESOLUTION: The Browse button functionality has been corrected. 32. ISSUE: Tools that view the debug window captured output from the on-demand scan feature, when the scan was configured to use less than 100% CPU. RESOLUTION: On-demand scans no longer output data to the debug window. 33. ISSUE: The Buffer Overflow user interface did not have boundary checking, and could be used to terminate the on-access scanner. Further explained in the knowledge base, article 2558797. RESOLUTION: The Buffer Overflow user interface now has boundary checking. Also, the on-access scanner will not crash when invalid data is input by the user. 34. ISSUE: When Patch 13 was installed to localized versions of VirusScan Enterprise, the README.TXT file was replaced with the English version. RESOLUTION: The README.TXT file is not replaced in this release. 35. ISSUE: Significant performance loss may be experienced by processes that frequently write data to the same file, usually an .INI or .LOG file, and usually multiple writes per second. The issue was only noticed after applying VSE80HF256301. RESOLUTION: The file system filter driver has been updated to resolve the issue. 36. ISSUE: McAfee Installation Designer (MID) creates VirusScan Enterprise installation files that include a configuration change file (VSECFG.CAB). If also managed by McAfee AutoUpdate Architect (MAA), where a configuration change file is hosted in the repository, after a patch update the original configuration change file is installed and applied. Updating from the MAA repository again does not reapply the newer configuration change file. RESOLUTION: After this Patch release is installed, the most recent configuration change file (.CAB file) is applied. NOTE: If VSECFG.CAB has been deleted, it is created and the settings applied when a Patch is installed. 37. ISSUE: Access Protection rules that contain references to a drive letter may not work on Dynamic Disk volumes. RESOLUTION: The file-system filter driver has been updated to resolve this issue. 38. ISSUE: Installing Patch 12 to systems where Patch 11 was installed could result in a successful patch installation, although the product still shows Patch 11 is installed. RESOLUTION: This release ensures that updating systems with Patch 11 will show the newer patch is installed after successful installation. 39. ISSUE: Where the ScriptScan module, SCRIPTPROXY.DLL, was unregistered, or disabled after HotFix 241572 was applied, the patch installation would reregister SCRIPTPROXY.DLL. RESOLUTION: This release does not register the ScriptScan module. 40. ISSUE: Patch installations via ePolicy Orchestrator or Protection Pilot, where the Patch failed to install on the end node, would not make further attempts to install. The installation detection script would write a registry value confirming the Patch was installed before installation had completed. RESOLUTION: The installation detection script used by ePolicy Orchestrator and Protection Pilot now writes a registry value confirming the Patch is installed when the installation is completed. 41. ISSUE: Detection alerts from the Cookie Scan feature can be of sufficient number to cause concern. RESOLUTION: Alerts for cookie detections can now be disabled by adding a dWORD "bCookieAlerts" to the registry, and setting the value to "0" zero. This release does not add the value. HKLM\Software\Network Associates\TVD\Shared Components\Alert Client\VSE 42. ISSUE: Where the Anti-Spyware Module was checked into an ePolicy Orchestrator or Protection Pilot repository, after a current Patch was installed the module would attempt to install repeatedly. RESOLUTION: This is resolved by HotFix MASE80HF273746 included with this release. See also "Known Issues" number 1. 43. ISSUE: Local tasks would fail to run at the scheduled time if created after Patch 12 or later was applied. The corresponding task configuration file was being modified with incorrect data. RESOLUTION: This release ensures the task configuration files contain correct data. 44. ISSUE: A "Cannot find the file specified" error message could occur when starting Lotus Notes via a shortcut, or when starting Lotus Notes from a shell. The same error message could occur when third-party applications that inject an add-on into Lotus Notes attempt to invoke the McAfee Lotus Notes scanner extensions and fail to find NCDAEMON.EXE. RESOLUTION: NCDAEMON.EXE now loads successfully. 45. ISSUE: A third-party application working with scripts can encounter an access violation error if it passes a NULL pointer to the Script Scan module (SCRIPTPROXY.DLL). The Script Scan module does not refer a NULL pointer. RESOLUTION: The Script Scan module can now refer NULL pointers. 46. ISSUE: The Japanese version of VirusScan Enterprise, when detecting an infected Lotus Notes email, takes action upon the note as expected, but removes the original message body. RESOLUTION: The original message body is always preserved. When the sending client is not Lotus Notes or is a different version of Lotus Notes, the warning text and infected attachment may be removed. 47. ISSUE: The on-access scanner sometimes scans a process in memory when the scanner service is starting. RESOLUTION: The on-access scanner does not scan processes in memory. 48. ISSUE: When installed to the debug build of Windows 2003 Server, VirusScan Enterprise causes a blue screen (BSOD) from handling a Unicode instruction. RESOLUTION: The issue has been resolved in the updated McAfee file system filter driver. 49. ISSUE: On Microsoft Windows XP SP2, or Windows XP SP1 with Security Update 885835, a memory-mapped write operation may not complete correctly. The Set EndOfFileInformation IRP was being issued twice to the file system. RESOLUTION: The AV filter driver has been updated to correctly issue a single Set EndOfFileInformation IRP. 50. ISSUE: A potentially unwanted program contained in an archive file was detected by an on-demand scan, even when that program was excluded. RESOLUTION: The on-demand scan now correctly excludes potentially unwanted programs contained in archive files, when configured to exclude them. 51. ISSUE: Some third-party applications crashed under various conditions when the Script Scan feature was installed. Note that the feature did not have to be enabled. The crash was caused by a synchronization issue when Script Scan initialized the scan engine. RESOLUTION: The synchronization issue has been resolved in the updated McAfee file-system filter driver. 52. ISSUE: When the "Blocking" feature of the on-access scanner was configured to "Block if an unwanted program is detected," the feature blocked a remote user even when the potentially unwanted program was excluded from detection. RESOLUTION: Potentially unwanted programs that are excluded from detection are not blocked by the on-access scanner "Blocking" feature. 53. ISSUE: If the on-access scanner was configured to be disabled and a system entered hibernation mode, the on-access scanner was enabled once the system awakened. Note that the shield icon and Service Control Manager showed that the scanner service was disabled. RESOLUTION: If disabled prior to entering hibernation, the on-access scanner now remains disabled after leaving hibernation mode. 54. ISSUE: On some Microsoft Windows 2000 Service Pack 4 systems, the Winlogon process can crash when a McAfee update task is launched. This issue occurred only after Patch 10 was installed, which contained an updated SCRIPTPROXY.DLL. RESOLUTION: The Script Scan binary, SCRIPTPROXY.DLL, is updated to resolve this issue. 55. ISSUE: When the McAfee Anti-Spyware module is installed and an on-demand scan task is configured to scan cookies, the on-demand scan can crash. RESOLUTION: The shared library, MYTILUS.DLL, has been updated to resolve this issue. 56. ISSUE: The Reg/Lowzones Trojan was not detected by the on-demand scanner when the primary action was "Clean files automatically." More information about this Trojan can be found in the virus library: http://vil.nai.com/vil/content/v_127723.htm RESOLUTION: The on-demand scanner now takes appropriate action against the Trojan. 57. ISSUE: An incompatibility existed between some monitoring software packages and the Buffer Overflow protection feature of VirusScan Enterprise. This was due to a conflict in hooking mechanisms being used. Software identified includes SpectorSoft, and WebRoot SpySweeper. RESOLUTION: The hooking mechanism of the Buffer Overflow feature has been modified to be more compatible with most third-party applications. 58. ISSUE: A C2 blue screen error (BSOD) could occur when the Buffer Overflow feature was enabled. This was seen as a stop code of 0x000000c2 with the following parameters (0x00000047, 0x84b83000, 0x00004b83, 0x000f1ffb). RESOLUTION: The Buffer Overflow driver has been updated to resolve the issue. 59. ISSUE: An error in MCSHIELD.EXE can occur on shutdown. The memory address referred to in the error message is 0x77f966bc or 0x7c964ed1. This occurred from attempts to close handles that were no longer valid. RESOLUTION: The software only closes valid handles on shutdown. 60. ISSUE: An incompatibility with some third-party software was identified that could cause LSASS.EXE to perpetually use 100% of CPU resources, when Buffer Overflow protection was enabled. The Buffer Overflow feature was in a loop. RESOLUTION: The Buffer Overflow feature is updated to identify when third-party software creates this loop, and no longer causes the loop to be perpetual. 61. ISSUE: On Microsoft Windows 2003 Server with Service Pack 1, the Buffer Overflow feature does not function. RESOLUTION: This release updates the Buffer Overflow feature to function properly with the Microsoft service pack applied. 62. ISSUE: If you entered an exclusion for the Buffer Overflow feature, which is case-sensitive, it was converted to lowercase, making the exclusion invalid. RESOLUTION: The text entered for the exclusion is preserved correctly. 63. ISSUE: When the on-access scanner timed out while scanning a file, the event was reported to ePolicy Orchestrator or Protection Pilot as a virus named "_". RESOLUTION: With this release, the on-access scanner time-outs are not reported as a virus. 64. ISSUE: The "All Port Blocking Events" query produced an error when the ePolicy Orchestrator or Protection Pilot database was on a SQL7 or MSDE v1 server. RESOLUTION: The "All Port Blocking Events" query has been corrected. 65. ISSUE: Events are not processed if the language of the account used to access SQL is not English, and the current day of the month is greater than 12. RESOLUTION: This issue is resolved in the updated Extended NAP file. 66. ISSUE: ePolicy Orchestrator or Protection Pilot reports might contain sentences that overlap, and chart labels might be illegible. RESOLUTION: This issue is resolved in the updated Extended NAP file. 67. ISSUE: On-demand scan tasks configured to stop after running for a specified amount of time might not stop at the appointed time. The VirusScan Enterprise plug-in did not identify the correct task. RESOLUTION: The VirusScan Enterprise plug-in has been updated to stop the correct scan task after the specified amount of time. 68. ISSUE: In some environments the VirusScan Enterprise Patch 10 release encountered an installation issue where the Windows Installer service would hang (published in the knowledge base as article KB40498). RESOLUTION: The installation of this release temporarily disables the Buffer Overflow feature only if it is enabled, and enables it again once the installation is complete. 69. ISSUE: Alert messages sent to McAfee Alert Manager sometimes displayed a user name of "System." RESOLUTION: The correct user name is now sent in the alert message. 70. ISSUE: An event is captured by the Event log service with the ID of 6004. This only occurred after installing VirusScan Enterprise 8.0i, and occurred when the McAfee TDI filter driver was loaded. RESOLUTION: This is resolved with the updated McAfee TDI filter driver. 71. ISSUE: A blue screen error (BSOD) could be seen on a server operating system, often with a bug check code of D1. RESOLUTION: This is resolved with the updated McAfee TDI filter driver. 72. ISSUE: PatchLink, a third-party application, will crash when the Script Scan module is installed. RESOLUTION: Updates made to the Script Scan module, SCRIPTPROXY.DLL, and a shared scanner module, MYTILUS.DLL, resolve the issue. 73. ISSUE: A delay may be noticed when a computer system shuts down. Shutdown progresses at a normal rate if the McTaskManager service is stopped before shutdown. RESOLUTION: VSTSKMGR.EXE, the McTaskManager service, has been updated to correct this issue. 74. ISSUE: During an engine update, scanner components may not unload the scan engine, resulting in failure to update the Engine because it is still in use. RESOLUTION: VSTSKMGR.EXE has been updated to ensure successful Engine updates. 75. ISSUE: A memory leak occurred in non-page pool memory when accessing files via the network redirector. The TDI driver did not release memory that had been allocated for identifying Source IP information. RESOLUTION: Memory is properly released by the TDI driver. 76. ISSUE: If the TDI driver received an I/O Request Packet (IRP) that did not have enough stack locations to be passed down the stack, a new IRP was created and the original IRP was left uncompleted. This resulted in a small memory leak. RESOLUTION: The original IRP is now completed. 77. ISSUE: A driver conflict between the McAfee TDI driver and a driver from Aventail VPN Client software could result in NetBIOS network connectivity being lost. RESOLUTION: NetBIOS network connectivity functions as expected when these applications are installed. 78. ISSUE: When a system was under considerable file I/O stress, and the path information of a file was not examined correctly by the exclusion library, an excluded file or a file inside an excluded folder could be scanned. RESOLUTION: The exclusion library has been updated to ensure that file path information is examined correctly under any stress condition. 79. ISSUE: Malformed JPEG files taking advantage of the MS04-028 exploit could be rendered by a browser -– without first having to cache files locally -- to induce an attack on the system. Details of the security bulletin can be found at: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx RESOLUTION: The processes monitored by the Buffer Overflow Protection feature are protected against malicious code attempting to execute after exploiting the MS04-028 vulnerability. IMPORTANT: When a buffer overflow has occurred, the affected process may become unstable and may need to be restarted. This Patch release is not a substitute for any security patch(es) provided by Microsoft to resolve the MS04-028 vulnerability. 80. ISSUE: Toolbar icons in some applications, including IBM WebSphere Studio, display as black boxes. RESOLUTION: Toolbar icons now display as expected. 81. ISSUE: Web Inspector from Zixcorp would encounter an error upon initializing, usually seen at logon. RESOLUTION: Web Inspector now loads without issue. 82. ISSUE: Windows Media Player 10 could stop responding after you select the option to listen to a "Radio" stream, then select the "Music" tab. RESOLUTION: Windows Media Player 10 operates correctly without interruption when you change from the "Radio" tab to "Music" tab, and vice versa. NOTE: Once the Patch is applied, a reboot may be required to resolve this issue. 83. ISSUE: List boxes and message boxes in .NET applications do not display any content. RESOLUTION: List boxes and message boxes now display content as expected. 84. ISSUE: In some Lotus Notes configurations where user mail databases were located in varying locations, the Lotus Notes Scanner did not find a mailbox to scan. RESOLUTION: User mailboxes are correctly located, and the Lotus Notes scanner protects the database. 85. ISSUE: The user interface option that allows you to password-protect the "On-Access Scanner: Detection" page mistakenly protects both the On-Access Scan "Detection" and On-Access Scan "Set Exclusions" property pages. A user could not add exclusions. RESOLUTION: Choosing to protect the "On-Access Scanner: Detection" page from the "User Interface Options" now protects only the On-Access Scan "Detection" page. 86. ISSUE: A delay in responsiveness of the script engine would occur when executing scripts sequentially. RESOLUTION: Scripts terminate correctly, allowing the script engine to respond to subsequent script commands. 87. ISSUE: An "Access denied" error appeared in an application that used the "delete-on-close" flag when working with temporary files. The file system filter driver would lose track of the "delete-on-close" flag. RESOLUTION: The updated file system filter driver resolves this issue, allowing temporary files to be utilized as expected. 88. ISSUE: Null entries are seen in the ePolicy Orchestrator database under the severity field due to the VirusScan Enterprise 8.0i extended NAP file. RESOLUTION: The extended NAP file has been modified to correctly handle the severity field. 89. ISSUE: When disabled, the ScriptScan feature will remain registered and still handles VB Script and Jscript operations, even though it is not scanning. RESOLUTION: When the ScriptScan feature is disabled, the component is unregistered, and when enabled the feature is registered. 90. ISSUE: The error "Access Denied" is seen when accessing a remote share. This can occur when user profile information is redirected by a Microsoft Windows group policy object, and the user tries to save a file to their "My Documents" folder. RESOLUTION: The issue has been resolved in the updated common scan components. 91. ISSUE: In environments using Distributed File System shares, a noticeable increase in network traffic activity may be experienced. RESOLUTION: The file system filter driver has been updated to resolve the issue. 92. ISSUE: During shutdown the VSTSKMGR.EXE process may crash with an error similar to "VSTSKMGR.EXE – the exception privileged instruction 0x00000096 occurred in the application at location 0x0012e80d." RESOLUTION: An update to VSTSKMGR.EXE, the McTaskManager Service, resolves the issue. 93. ISSUE: After applying VirusScan Enterprise 8.0i Patch 11, when a system resumes from the hibernation power saving state, the on-access scanner may be paused. RESOLUTION: The on-access scanner now correctly is enabled when the system resumes from hibernation. 94. ISSUE: A vulnerability exists in the Common Management Agent (CMA) where an unexpected file can be run with system privileges. Communication between the VirusScan Enterprise plug-in and CMA can be utilized as a mechanism to exploit this vulnerability. RESOLUTION: The VirusScan Enterprise plug-in, VSPLUGIN.DLL, has been updated to prevent the potential exploit. 95. ISSUE: When accessing some Japanese named files with a long filename, the on-access scanner service, MCSHIELD.EXE, could crash or cause the accessing application to stop responding. RESOLUTION: MCSHIELD.EXE has been updated to resolve this issue. 96. ISSUE: The memory scan feature of an on-demand scan did not detect potentially unwanted programs that were resident in memory. The memory scan feature did not use the exclusion list. The memory scan feature failed to record when a detection was successfully cleaned. RESOLUTION: The issue has been resolved in the updated on-demand scan components. 97. ISSUE: After applying VirusScan Enterprise 8.0i Patch 11 where the Anti-Spyware Enterprise module is installed, the Cookie Scan feature detects the same cookie twice. RESOLUTION: The issue has been resolved in the updated common scan components. 98. ISSUE: In ePolicy Orchestrator, the "Top 10" virus report shows a "_" character as the virus name. RESOLUTION: The issue has been resolved in the updated common scan components. 99. ISSUE: If the ePolicy Orchestrator Agent is installed, the on-access scanner could crash when resuming from the hibernation power-saving state. RESOLUTION: The issue has been resolved in the updated on-access scanner. KNOWN ISSUES 1. Where the McAfee Anti-Spyware Enterprise (MASE) module is added to the ePolicy Orchestrator repository and the Deployment Task is configured to install the MASE module, after this Patch release is installed on client systems, the MASE module attempts to reinstall each time the Deployment Task runs. This is resolved by HotFix MASE80HF273746 included with this release. See the section "Additional Steps for Anti-Spyware Enterprise Module" for installation steps. 2. When installing locally, you may not be prompted to reboot after the installation. However, a reboot is necessary to unload the previous McAfee TDI filter driver and load the new driver. 3. Installing the Patch and specifying a log file path using the Microsoft Installer (MSI) switch "/L" does not log to the specified path. A log capturing full data is logged to the folder "NAILogs" under the Temp folder. 4. When using McAfee Installation Designer 8.0 to create a new installation package that includes this release, and you have VirusScan Enterprise 8.0i and a Microsoft Patch (MSP) installed locally (for example, Patch10.msp), the resulting package may not install to other systems. Install McAfee Installation Designer 8.1 or later, and create the new installation package that includes this release. 5. When installing this release interactively and canceling the installation on a system where a previous Patch was installed, after the rollback completes, the previous Patch no longer reports to ePolicy Orchestrator or displays in the "About VirusScan Enterprise" window. 6. If the Lotus Notes client is open when this release is installed, the installation completes successfully, but a reboot is required to replace the McAfee Lotus scanner files. The new files are not used until after a reboot. 7. If this release is removed from the ePolicy Orchestrator or Protection Pilot repository and a previous release is added, clients that have this release will run the previous package but will not replace any files. These client systems report that both Patch releases are installed. This issue is resolved for all future Patch releases. 8. After this release is added to the ePolicy Orchestrator or Protection Pilot repository, you cannot add HotFix 256862. This is expected behavior because HotFix 256862 is included in this release. FILES INCLUDED WITH THIS RELEASE This release consists of a package called VSE80P16.ZIP, which contains the following files: PKGCATALOG.Z = Package catalog file PATCH16.TXT = This text file VS800DET.MCS = VirusScan Enterprise detection script PACKING.LST = Packing list SETUP.EXE = Installer for this release SETUP.INI = Initialization file for SETUP.EXE PATCH16.MSP = Microsoft Installer Patch file VSE_NAP\VSE800.NAP = Management NAP file VSE_MASE_NAP\VSE800.NAP = Management NAP file VSE800REPORTS.NAP = Reporting NAP file MASE80HF273746\AS800DET.MCS = Anti-Spyware Enterprise Module Detection script* MASE80HF273746\PKGCATALOG.Z = Package catalog file* The following files are installed to client systems: BBCPL.DLL 8.0.0.1047 EMCFGCPL.DLL 8.0.0.1019 ENTAPI.DLL 8.0.0.455 ENTDRVnx.SYS** 8.0.0.455 ENTSRV.DLL 8.0.0.455 FTL.DLL 8.0.0.135 MCSHIELD.EXE 8.0.0.341 MIDUTIL.DLL 8.0.0.155 MVSTDInx.SYS** 11.0.0.121 MYTILUS.DLL 8.0.0.344 NAEVENTU.DLL 8.0.0.356 NAIANN.DLL 8.0.0.308 NAIAVFIN.EXE 11.0.0.125 NAIAVFnx.SYS** 11.0.0.125 NCDAEMON.EXE 8.0.0.1046 NCEXTMGR.DLL 8.0.0.1046 NCINSTALL.DLL 8.0.0.1046 NCMENU.DLL 8.0.0.1046 NCSCAN.DLL 8.0.0.1046 NCTRACE.DLL 8.0.0.1046 SCANEMAL.DLL 8.0.0.1041 SCRIPTPROXY.DLL 8.0.0.1012 SHCFG32.EXE 8.0.0.1036 SHSTAT.EXE 8.0.0.1040 SHUTIL.DLL 8.0.0.1036 VSIDSVR.DLL 8.0.0.291 VSODSCPL.DLL 8.0.0.1037 VSPLUGIN.DLL 8.0.0.1048 VSTSKMGR.EXE 8.0.0.1004 The following files are checked in to the ePolicy Orchestrator or Protection Pilot repository: VSE800.NAP *** 2.0.0.274 / 2.0.0.275 VSE800REPORTS.NAP 3.0.0.1001 * For use by customers with the McAfee Anti-Spyware Enterprise module. ** File name depends on operating system and processor architecture. *** The second version is for ePolicy Orchestrator or Protection Pilot environments that also have the Anti-Spyware Enterprise module. __________________________________________________________ INSTALLATION INSTALLATION REQUIREMENTS To use this release, you must have VirusScan Enterprise 8.0i software installed on the computer you intend to update with this release. NOTE: This release does not work with earlier versions of VirusScan software. INSTALLATION STEPS 1. Extract the Patch files from VSE80P16.ZIP to a temporary folder on your hard drive. 2. Double-click the file SETUP.EXE inside the temporary folder created in Step 1. 3. Follow the instructions of the installation wizard. INSTALLATION STEPS FOR ePOLICY ORCHESTRATOR 1. On the computer where the ePolicy Orchestrator 3.x console resides, extract the Patch files and folders from VSE80P16.ZIP to a temporary folder on your hard drive. 2. Open the ePolicy Orchestrator 3.x console and add the package from the temporary folder created in Step 1 to your repository. Consult "Checking in Package" in the ePolicy Orchestrator 3.0 Product Guide, or "Checking in PKGCATALOG.Z product packages to the master repository" in the ePolicy Orchestrator 3.5 Product Guide, for instructions on adding a package to the repository. The package type for this Patch is "Products or Updates." The next time an agent update task runs, the VirusScan Enterprise client automatically downloads and installs the Patch. 3. Skip ahead to Step 4 if you have already added the McAfee Anti-Spyware module NAP file to your repository. Add the management NAP file, VSE800.NAP, from the temporary folder created in Step 1 to your repository. NOTE: Add the VSE800.NAP from the appropriate subfolder, which is determined by whether you have the McAfee Anti-Spyware module installed. Consult the ePolicy Orchestrator documentation for instructions on adding new software you want to manage to the repository. 4. Add the reporting NAP file, VSE800REPORTS.NAP, from the temporary folder created in Step 1, to your repository by doing the following: a. In the ePolicy Orchestrator console, add the VSE800Reports.NAP file using the "Check in NAP" wizard. b. If applicable, log off from the Reporting console. c. In the ePolicy Orchestrator installation directory, delete the following: - REPORTVERSIONS.SQL file from the AVI directory. This must be done for all systems running the ePolicy Orchestrator console. d. Stop the ePolicy Orchestrator Server service and ePolicy Orchestrator Event Parser service. e. Restart the two services from Step d. f. Log on to the Reporting console using ePolicy Orchestrator authentication. g. Log on to the ePolicy Orchestrator console and the Reporting Console to view the VirusScan 8.0 reports. ADDITIONAL STEPS FOR ANTI-SPYWARE ENTERPRISE MODULE NOTE: These steps are not required if you have installed Common Management Agent version 3.5.5 Patch 1 or later. 1. On the computer where the ePolicy Orchestrator 3.x console resides, extract the MASE80HF273746 folder from VSE80P16.ZIP to a temporary folder on your hard drive. 2. Open the ePolicy Orchestrator 3.x console and add the package from the temporary folder created in Step 1 to your repository. INSTALLATION STEPS VIA MCAFEE INSTALLATION DESIGNER McAfee recommends that you use McAfee Installation Designer version 8.1 or later and follow this procedure: 1. Extract the files from VSE80P16.ZIP to a temporary folder on your hard drive. 2. Start McAfee Installation Designer, select "Create a new installation package," and select a source and destination folder for your installation package; then click "Next." 3. Go to the "Patch Files" section and click "Add." Browse to the temporary folder you created in Step 1, and select the file PATCH16.MSP. 4. Click "Finish" and "Save" in the McAfee Installation Designer to save a new installation package to the destination folder you specified in Step 2. VERIFYING INSTALLATION Always reboot prior to validating that a Patch has installed successfully. NOTE: Patch releases since Patch 10 do not display or report that the Patch is installed if an error occurred during installation, or if a file or files did not install correctly. 1. Open the VirusScan Console and choose "About" from the "Help" menu. The "About VirusScan Enterprise" window "Patch Versions" displays "16." After property information has been collected by ePolicy Orchestrator and Protection Pilot agents, the client systems show that Patch 16 is installed as the "Hotfix" version. If the value "HotfixVersions" is seen, it is a temporary value and will be removed after a full property collection from the client. 2. Confirm that the expected files are installed by checking the version number of individual files. File versions should match the list in "FILES INCLUDED WITH THIS RELEASE," above. __________________________________________________________ CONTACT INFORMATION THREAT CENTER: McAfee Avert(R) Labs Homepage http://www.mcafee.com/us/threat_center/default.asp Avert Labs Threat Library http://vil.nai.com/ Avert Labs WebImmune & Submit a Sample (Logon credentials required) https://www.webimmune.net/default.asp Avert Labs DAT Notification Service http://vil.nai.com/vil/signup_DAT_notification.aspx DOWNLOAD SITE Homepage http://www.mcafee.com/us/downloads/ - Product Upgrades (Valid grant number required) - Security Updates (DATs, engine) - HotFix and Patch Releases - For Security Vulnerabilities (Available to the public) - For Products (ServicePortal account and valid grant number required) - Product Evaluation - McAfee Beta Program TECHNICAL SUPPORT Homepage http://www.mcafee.com/us/support KnowledgeBase Search http://knowledge.mcafee.com/ McAfee Technical Support ServicePortal (Logon credentials required) https://mysupport.mcafee.com/eservice_enu/start.swe CUSTOMER SERVICE Web: http://www.mcafee.com/us/support/index.html http://www.mcafee.com/us/about/contact/index.html Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday-Friday, 8 a.m.-8 p.m., Central Time US, Canada, and Latin America toll-free PROFESSIONAL SERVICES - Enterprise: http://www.mcafee.com/us/enterprise/services/index.html - Small & Medium Business: http://www.mcafee.com/us/smb/services/index.html _____________________________________________________ COPYRIGHT AND TRADEMARK ATTRIBUTIONS Copyright (C) 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. _____________________________________________________ LICENSE & PATENT INFORMATION LICENSE AGREEMENT NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. LICENSE ATTRIBUTIONS This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy , (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek. V3.1.5